On Fri, Mar 10, 2023 at 10:27?AM Joel GUITTET <jguittet.opensource at witekio.com> wrote:> We currently work on a project that require SSH server with FIPS and > using OpenSSL v3.Gently: this is meaningless. You probably mean one of the following: 1. The SSH server implementation is required to use only cryptographic algorithms that are FIPS-approved. 2. The SSH server implementation is required to be FIPS-validated. If you mean #1, you don?t have to patch anything: it is trivial to configure the various sshd options to permit only FIPS-approved cryptographic algorithms. If you mean #2, then patches aren?t going to help you: being FIPS-validated means that you have submitted your cryptographic module to the NIST CMVP (Cryptographic Module Validation Program), paid the requisite fee, passed, and received a certificate number that others can verify: https://csrc.nist.gov/Projects/cryptographic-module-validation-program/validated-modules/Search If your SSH server must be FIPS-validated, then use the CMVP search page (above) to find an OS vendor that submits their OS cryptographic components to the CMVP, run sshd on that OS, and make sure the OS is configured to enforce FIPS validation. (E.g., on a Linux host, pass the ?fips=1? parameter to the kernel via grub, and run ?update-crypto-policies --set FIPS? within the OS to configure the various cryptography libraries to permit only FIPS-approved algorithms.)> Patching OpenSSH for this looks to be a massive job. Is it something > that is considered on your side?No patching of OpenSSH is required.
A third possibility: if what you meant was: 3. We have a project where we are running sshd on a server that uses OpenSSL 3.0 but we are required to run the server in FIPS-enforcing mode and use only FIPS-validated algorithms. ?then the answer might be ?that?s not possible at this time.? Not many OS vendors are shipping OpenSSL 3.0 yet. Red Hat Enterprise Linux 9 uses OpenSSL 3.0, and Red Hat has submitted the RHEL9 cryptographic modules to the CMVP for validation, but they have not yet been granted a certificate: https://csrc.nist.gov/projects/cryptographic-module-validation-program/validated-modules/search?SearchMode=Basic&ModuleName=red+hat&CertificateStatus=Active&ValidationYear=0 Note that in theory it should be easier to perform CMVP validation of OpenSSL 3.0, because only the fips.so provider needs to be submitted for validation: https://www.redhat.com/en/blog/experience-bringing-openssl-30-rhel-and-fedora But apparently it is more onerous to achieve validation under the FIPS-140-3 program than the (discontinued) FIPS-140-2 program. I do not know if any other Linux/Unix distributions both 1) are shipping OpenSSL 3.0, and 2) have achieved CMVP validation for it.
Hi, James Ralston wrote:> On Fri, Mar 10, 2023 at 10:27?AM Joel GUITTET > <jguittet.opensource at witekio.com> wrote: > > [SNIP] > >> Patching OpenSSH for this looks to be a massive job. Is it something >> that is considered on your side? > No patching of OpenSSH is required.Reality is different . 1.) Some FIPS validated modules limit API use. Program code must use only allowed API for cryptographic operations. 2.) Some PIPS validated modules do not include FIPS allowed algorithms. Program code could inform cryptographic library that "custom" algorithm is allowed n FIPS mode. 3) User friendly program does not require manual configurations. Program must detect that cryptographic module runs in FIPS mode and do not offer or to refuse use of non-FIPS allowed algorithms. Optionally program may force cryptographic module to run in FIPS mode. For protocol all above is part or PKIX-SSH. Regards, Roumen Petrov -- Advanced secure shell implementation with X.509 certificate support http://roumenpetrov.info/secsh/